[FFmpeg-devel] [PATCH] ogg: Fix OOB write during ogg_read_seek()
dalecurtis at chromium.org
Tue Apr 17 19:32:40 CEST 2012
On Tue, Apr 17, 2012 at 5:28 AM, Michael Niedermayer <michaelni at gmx.at>wrote:
> On Tue, Apr 17, 2012 at 08:52:57AM +0200, Reimar Döffinger wrote:
> > On 16 Apr 2012, at 22:57, dalecurtis at chromium.org wrote:
> > > From: Dale Curtis <dalecurtis at chromium.org>
> > >
> > > Prevents an OOB write of size 4 when ogg_read_seek is called with
> > > a stream_index >= ogg->nstreams.
> > >
> > > In this case s->nb_streams == 3, yet ogg->nstreams == 1 and
> > > stream_index == 1; causing os->keyframe_seek = 1 to write OOB.
> > I think something must have gone seriously wrong at the point where
> those stream counts started to differ and you are just covering up for the
> real bug...
> yes, i think ive found it.
> Fix commited (as i think its better to fix this ASAP, its easy to
> improve later in case a better solution is suggested)
> Ill also add some av_assert0() just to be sure
> and i think the error pathes should be reviewed against being able to
> cause inconsistencies in the stream numbers
Thanks for the fix Michael! I've verified your solution against ASAN.
More information about the ffmpeg-devel